An error occurred:

Check: GEN005507

VMware ESX 3 Server: GEN005507 (in version v1 r2)

Title

The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. (Cat II impact)

Discussion

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.

Check Content

Check the SSH daemon configuration for allowed MACs. Procedure: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC that is not hmac-sha1 or a better hmac algorithm that is on the FIPS 140-2 approved list, this is a finding.

Fix Text

Edit the SSH daemon configuration and remove any MACs that are not hmac-sha1 or a better hmac algorithm that is on the FIPS 140-2 approved list. If necessary, add a MACs line.

Additional Identifiers

Rule ID: SV-26753r2_rule

Vulnerability ID: V-22460

Group Title: GEN005507

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-17(2)

Protection of Confidentiality and Integrity Using Encryption